Understanding Art. 77: How To Lodge a Complaint Under The GDPR

As our digital footprints grow larger with the increased reliance on online services, understanding our rights related to data privacy becomes more essential than ever. A key piece of legislation governing these rights in the European Union is the General Data Protection Regulation (GDPR). Among the many rights established by the GDPR, one is particularly noteworthy – Article 77 or the Right to Lodge a Complaint with a Supervisory Authority, commonly referred to as the Data Protection Authority (DPA).

Art. 77 GDPR: The Right to Lodge a Complaint

Under Art. 77 GDPR, individuals are granted the right to lodge a complaint with a DPA if they believe their personal data has been processed in a way that violates the GDPR. It empowers individuals to take action against organizations that mishandle personal data and ensures that data subjects can enforce their rights.

When Can an Individual Submit a Complaint Under The GDPR?

An individual can submit a complaint whenever they believe their rights under the GDPR have been infringed due to the processing of their personal data. This could include instances where an individual believes their data has been processed without their consent, where the data processed is excessive, or where the data has been stored for longer than necessary. It’s important to note that the complaint should be submitted without undue delay.

Any data subject, i.e., an individual whose personal data is being processed, can submit a complaint under Article 77 of the GDPR if they believe their rights under the GDPR have been infringed upon. It’s not exclusive to European citizens. However, the infringement must be in relation to personal data processing activities that fall within the scope of the GDPR, such as when an organization based outside the EU is processing data of an individual inside the EU.

How to Submit a Complaint Under The GDPR?

The process for submitting a complaint varies slightly between different DPAs but typically involves submitting a written complaint that describes the nature of the alleged GDPR violation. Some DPAs have online forms that individuals can use to lodge their complaints. In general, the complaint should include:

  • Full contact details of the individual submitting the complaint.
  • The name and contact details of the organization they are complaining about.
  • A detailed description of the alleged GDPR violation, including any evidence to support the claim.
  • If applicable, any steps that have been taken to resolve the issue directly with the organization.

What Documents Are Needed?

It is important to provide as much relevant information as possible when lodging a complaint. This includes any communications with the organization regarding the issue, evidence of the data processing in question, and any other supporting documents. While not all DPAs require documentation for the initial complaint, having these documents on hand can speed up the investigation process.

Please note that if someone is submitting the complaint on your behalf, you might need to include a power of attorney (POA). 

Make sure to keep any reference numbers, documents and dates as your complaint might be forwarded from one DPA to another. 

Which Data Protection Authority to Approach?

Complaints should be lodged with the DPA in the EU member state where the individual resides, works, or where the alleged infringement occurred. For instance, if a French citizen believes their data has been misused by a company based in Ireland, they can lodge their complaint with either the French or Irish DPA.

In order to make your life easier, we have prepared a table with the relevant contact details and links of the DPA, according to the relevant jurisdiction: 

| Country | DPA | Website | Email | File a Complaint |
|---|---|---|---|---|
| Austria | Österreichische Datenschutzbehörde | http://www.dsb.gv.at/ | [email protected] | Complaint form |
| Belgium | Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA) | https://www.autoriteprotectiondonnees.be ; https://www.gegevensbeschermingsautoriteit.be | [email protected] | Complaint form; Upload here |
| Bulgaria | Commission for Personal Data Protection | https://www.cpdp.bg/ | [email protected] | Send via email; it must be formatted as an electronic document, signed with a qualified electronic signature (QES) |
| Croatia | Croatian Personal Data Protection Agency | http://www.azop.hr/ | [email protected] | Send via email |
| Cyprus | Commissioner for Personal Data Protection | http://www.dataprotection.gov.cy/ | [email protected] | Send via email |
| Czech Republic | Office for Personal Data Protection | http://www.uoou.cz/ | [email protected] | |
| Denmark | Datatilsynet | http://www.datatilsynet.dk/ | [email protected] | Form or any other way |
| EDPS | European Data Protection Supervisor | https://edps.europa.eu/ | [email protected] | Email |
| Estonia | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) | http://www.aki.ee/ | [email protected] | Email |
| Finland | Office of the Data Protection Ombudsman | http://www.tietosuoja.fi/en/ | [email protected] | Form |
| France | Commission Nationale de l’Informatique et des Libertés – CNIL | http://www.cnil.fr/ | | Form |
| Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | http://www.bfdi.bund.de/ | [email protected] | Form |
| Greece | Hellenic Data Protection Authority | http://www.dpa.gr/ | [email protected] | POSSIBLE ONLY FOR CITIZENS! |
| Hungary | Hungarian National Authority for Data Protection and Freedom of Information | http://www.naih.hu/ | [email protected] | POSSIBLE ONLY FOR CITIZENS! |
| Ireland | Data Protection Commission | http://www.dataprotection.ie/ | [email protected] | Form |
| Italy | Garante per la protezione dei dati personali | http://www.garanteprivacy.it/ | [email protected] | [email protected] |
| Latvia | Data State Inspectorate | https://www.dvi.gov.lv/ | [email protected] | [email protected] |
| Lithuania | State Data Protection Inspectorate | https://vdai.lrv.lt/ | [email protected] | [email protected] |
| Luxembourg | Commission Nationale pour la Protection des Données | http://www.cnpd.lu/ | [email protected] | Online form |
| Malta | Office of the Information and Data Protection Commissioner | http://www.idpc.org.mt/ | [email protected] | Online form |
| Netherlands | Autoriteit Persoonsgegevens | https://autoriteitpersoonsgegevens.nl/ | | Online form |
| Poland | Urząd Ochrony Danych Osobowych (Personal Data Protection Office) | https://uodo.gov.pl/ | [email protected] | [email protected]; Online form |
| Portugal | Comissão Nacional de Proteção de Dados – CNPD | http://www.cnpd.pt/ | [email protected] | Online form |
| Romania | The National Supervisory Authority for Personal Data Processing | http://www.dataprotection.ro/ | [email protected] | Fill out this form and send it to: [email protected] |
| Slovakia | Office for Personal Data Protection of the Slovak Republic | http://www.dataprotection.gov.sk/ | [email protected] | |
| Slovenia | Information Commissioner of the Republic of Slovenia | https://www.ip-rs.si/ | [email protected] | Download the relevant form here |
| Spain | Agencia Española de Protección de Datos (AEPD) | https://www.aepd.es/ | [email protected] | |
| Sweden | Integritetsskyddsmyndigheten | http://www.imy.se/ | [email protected] | Online form |
 

How Long Does the Process Take?

In accordance with GDPR, DPAs must respond within three months to the individual who made the complaint. However, this period may be extended if necessary, based on the number and complexity of complaints received by a DPA. In the event of such an extension, the DPA must inform the individual within three months of receiving the complaint.

In conclusion, the GDPR and Art. 77 give individuals the possibility to lodge a complaint about misuse of their personal data or a failure to protect it. Understanding how to lodge a complaint with the DPA is an important aspect of enforcing these rights.

Summary

Article 77 of the GDPR, focusing on the Right to Lodge a Complaint with a Supervisory Authority, stands out as a significant empowerment tool for individuals. This provision allows any data subject who believes their personal data has been mishandled in violation of GDPR protocols to file a complaint with their national Data Protection Authority (DPA). This process, while varying slightly among different DPAs, generally requires a detailed written complaint, potentially supported by evidence of the alleged violation. Complaints can be lodged in the member state where the complainant lives, works, or where the alleged infringement took place, facilitating a responsive framework for addressing grievances.

Noa Kahalon
COO at hoggo

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.